authorMartin Polden <mpolden@mpolden.no>2019-10-07 13:48:24 +0200
committerMartin Polden <mpolden@mpolden.no>2019-10-07 13:48:24 +0200
commitbd64dc62bfc7800c570f36514e98ac04b4c07988 (patch)
tree8f513d96b86b749c2c5182e28af1441e1fdf6293
parent385ff3f0d79e76eba8c6cf688bc730fb14b0dd38 (diff)
Decode SAN IP address field from CSR
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java2
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java5
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java11
-rw-r--r--security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java15
4 files changed, 28 insertions, 5 deletions
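--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java
@@ -43,7 +43,7 @@ public class Certificates {
 SHA256_WITH_ECDSA,
 X509CertificateBuilder.generateRandomSerialNumber());
 for (var san : csr.getSubjectAlternativeNames()) {
- builder = builder.addSubjectAlternativeName(san.getValue());
+ builder = builder.addSubjectAlternativeName(san.decode());
 }
 return builder.build();
 }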
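Review bot: With `san.decode()` the loop now carries IP-address SANs from the CSR into the issued certificate (presumably they did not survive the previous String round-trip, which is what the commit fixes), so the set of names this CA will sign for has widened, yet the loop still copies every SAN from the CSR as-is; whatever check ties the requested names to the requesting identity has to happen before `create` is called, which is not visible here, and the loop deserves a comment saying so, e.g. `// SANs are copied verbatim from the CSR; the caller must already have authorized them for this identity`. If `decode()` throws for a SAN it cannot re-encode, that surfaces from `create` as an unchecked IllegalArgumentException, so callers handling a malformed client CSR should expect it and a `@throws` on the method would help. The enclosing method starts outside the hunk.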
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
index 4946de93f6d..130a4ec5e66 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
@@ -47,13 +47,16 @@ public class CertificateTester {
return createCsr(null);
}
- public static Pkcs10Csr createCsr(String dnsName) {
+ public static Pkcs10Csr createCsr(String dnsName, String... ipAddresses) {
X500Principal subject = new X500Principal("CN=subject");
KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
var builder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA512_WITH_ECDSA);
if (dnsName != null) {
builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.DNS_NAME, dnsName);
}
+ for (var ipAddress : ipAddresses) {
+ builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.IP_ADDRESS, ipAddress);
+ }
return builder.build();
}
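Review bot: `createCsr(String dnsName, String... ipAddresses)` has no Javadoc, and now that it takes two kinds of optional input the contract is worth stating: `dnsName` may be null (the overload above passes `null`) and then no DNS SAN is added, whereas the varargs array is iterated directly, so a null `ipAddresses` would throw. A one-liner such as `/** Builds a CSR for CN=subject with an optional DNS SAN (null for none) and zero or more IP-address SANs. */` covers both. The enclosing class continues outside the hunk.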
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
index 80940dcd02c..fa86979656d 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
@@ -40,13 +40,18 @@ public class CertificatesTest {
public void add_san_from_csr() throws Exception {
var certificates = new Certificates(new ManualClock());
var dnsName = "host.example.com";
- var csr = CertificateTester.createCsr(dnsName);
+ var ip = "192.0.2.42";
+ var csr = CertificateTester.createCsr(dnsName, ip);
var certificate = certificates.create(csr, caCertificate, keyPair.getPrivate());
assertNotNull(certificate.getSubjectAlternativeNames());
- assertEquals(1, certificate.getSubjectAlternativeNames().size());
+ assertEquals(2, certificate.getSubjectAlternativeNames().size());
+
+ var subjectAlternativeNames = List.copyOf(certificate.getSubjectAlternativeNames());
assertEquals(List.of(SubjectAlternativeName.Type.DNS_NAME.getTag(), dnsName),
- certificate.getSubjectAlternativeNames().iterator().next());
+ subjectAlternativeNames.get(0));
+ assertEquals(List.of(SubjectAlternativeName.Type.IP_ADDRESS.getTag(), ip),
+ subjectAlternativeNames.get(1));
}
}
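Review bot: The test exercises only the 4-byte IPv4 path of the new iPAddress decoding; a 16-byte IPv6 case would cover the other length `InetAddress.getByAddress` accepts and would pin the textual form, since `getHostAddress()` returns IPv6 in expanded rather than compressed notation. Something like `CertificateTester.createCsr(dnsName, ip, "2001:db8::1")` with the expected SAN value `"2001:db8:0:0:0:0:0:1"` (a constructed example; the exact string presumably follows the JDK's IPv6 formatting, so confirm) would catch a regression in that branch. The `get(0)`/`get(1)` assertions also rely on the issued certificate preserving the CSR's SAN order, which is worth a short comment so the test is not read as asserting a set.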
diff --git a/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java b/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java
index 29395c75e70..81581c8146c 100644
--- a/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java
+++ b/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java
@@ -3,10 +3,13 @@ package com.yahoo.security;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.DERIA5String;
+import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
@@ -43,6 +46,10 @@ public class SubjectAlternativeName {
return new GeneralName(type.tag, value);
}
+ public SubjectAlternativeName decode() {
+ return new SubjectAlternativeName(new GeneralName(type.tag, value));
+ }
+
static List<SubjectAlternativeName> fromGeneralNames(GeneralNames generalNames) {
return Arrays.stream(generalNames.getNames()).map(SubjectAlternativeName::new).collect(toList());
}
@@ -56,6 +63,14 @@ public class SubjectAlternativeName {
return DERIA5String.getInstance(name).getString();
case GeneralName.directoryName:
return X500Name.getInstance(name).toString();
+ case GeneralName.iPAddress:
+ var octets = DEROctetString.getInstance(name.toASN1Primitive()).getOctets();
+ try {
+ return InetAddress.getByAddress(octets).getHostAddress();
+ } catch (UnknownHostException e) {
+ // Only thrown if IP address is of invalid length, which is an illegal argument
+ throw new IllegalArgumentException(e);
+ }
default:
return name.toString();
}
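Review bot: `decode()` has no Javadoc and its name does not say what it does: it rebuilds a `GeneralName` from the stored tag and string value and hands it back to the `SubjectAlternativeName` constructor, so the result is presumably the same name after an encode/decode round-trip through BouncyCastle, which normalises the value (for IP addresses, to the form `getHostAddress()` returns); a Javadoc such as `/** Returns a copy of this name after an encode/decode round-trip through {@link GeneralName}, normalising the value. */` would make that explicit. In the `iPAddress` branch, the comment above the `catch` could also record that `InetAddress.getByAddress(byte[])` performs no name resolution and only rejects lengths other than 4 or 16, since a reviewer of CSR-parsing code will want to know that no network lookup happens there, e.g. `// getByAddress(byte[]) does no DNS lookup; it only rejects lengths other than 4 or 16`. Note that `getHostAddress()` yields IPv6 addresses in expanded form, so string comparisons against values written as `2001:db8::1` would not match. The method containing the last hunk starts outside it.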